The following excerpt, courtesy of Elsevier Digital Press, is from Chapter 5 of the book "Windows Server 2003 security infrastructures" written by Jan De Clercq. Click for the complete book excerpt series or purchase the book.


In Windows Server 2003, Microsoft has added additional information in the TDO account objects to enable interforest authentication traffic. Let's look at an example that shows how Windows Server 2003 uses the extra information stored in the TDO to route Kerberos authentication requests during a cross-forest resource access.

In the example (illustrated in Figure 5.19), a user that is logged on to the emea.compaq.com domain (the user and machine accounts are defined in emea.compaq.com) wants to access a resource located on a server in the us.hp.com domain. Both forests are at functionality level 2, and a bidirectional forest trust relationship has been set up between them. From a Kerberos point of view, the user is already logged on to the emea.compaq.com domain and has a valid TGT. The remote resource is identified using an SPN of the following format:
/us.hp.com.

In this example the authentication requests will be routed as follows:

1. The user's machine contacts the local DC to request a Kerberos service ticket for the resource in the us.hp.com domain. The DC in emea.compaq.com cannot find an entry for the remote service in its local domain database and asks a GC server in the emea.compaq.com domain for help. The GC suspects (based on the DNS suffix) that the service is located in the hp.com forest; it sends this routing hint to the DC and tells the DC to refer the user to a DC in the compaq.com root domain.

Figure 5.19 Forest trust authentication flow.

2. The user's machine contacts a DC in the root domain of the compaq.com forest. This DC refers the user to a DC in the root domain of the hp.com forest.
3. The user's machine contacts a DC in the root domain of the hp.com forest. The DC of the hp.com forest double-checks with the local GC whether the service is in its forest. After validation it refers the user to a DC in the us.hp.com domain.
4. The user's machine contacts a DC in the us.hp.com domain. This DC can issue a service ticket to the user for the resource in the us.hp.com domain.
5. The user uses the service ticket to authenticate to the resource server in the us.hp.com domain.
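The referral chain above, as an added Python simulation that is not part of the book: the two-forest topology, the TDO trust entries and the SPN are constructed for illustration, and the SPN parser assumes the `<class>/<host>/<domain>` form.

```python
from dataclasses import dataclass, field


@dataclass
class Forest:
    root: str                  # DNS name of the forest root domain
    domains: set               # every domain in the forest (the GC knows all of them)
    trusted_forests: set = field(default_factory=set)  # forest trusts recorded in TDOs


# Constructed topology mirroring the book's example: two forests, bidirectional forest trust.
FORESTS = {
    "compaq.com": Forest("compaq.com", {"compaq.com", "emea.compaq.com"}, {"hp.com"}),
    "hp.com": Forest("hp.com", {"hp.com", "us.hp.com"}, {"compaq.com"}),
}


def spn_domain(spn):
    """Trailing realm component of a '<class>/<host>/<domain>' SPN, lower-cased."""
    return spn.rsplit("/", 1)[-1].lower()


def home_forest(domain, forests):
    """Forest whose domain database contains the given domain (None if unknown)."""
    return next((f for f in forests.values() if domain in f.domains), None)


def routing_hint(target, home, forests):
    """GC step: match the SPN's DNS suffix against the name suffixes of the forests in home's TDOs."""
    for name in home.trusted_forests:
        f = forests[name]
        if target == f.root or target.endswith("." + f.root):
            return f
    return None


def referral_chain(user_domain, spn, forests=FORESTS):
    """Ordered list of domains whose DCs the client contacts to obtain a service ticket."""
    target = spn_domain(spn)
    home = home_forest(user_domain, forests)
    if home is None:
        raise LookupError(f"{user_domain} is not in any known forest")
    if target in home.domains:                   # not cross-forest: ordinary intra-forest referral
        return [user_domain] if target == user_domain else [user_domain, target]
    remote = routing_hint(target, home, forests)  # step 1: GC derives a routing hint from the suffix
    if remote is None:
        raise LookupError(f"no forest trust routes {target}")
    chain = [user_domain] + ([home.root] if home.root != user_domain else [])  # step 2: local root
    chain.append(remote.root)                    # step 3: DC in the trusted forest's root domain
    if target not in remote.domains:             # remote root double-checks with its own GC
        raise LookupError(f"{remote.root} GC cannot validate {target}")
    return chain + ([target] if target != remote.root else [])  # step 4: DC in the target domain
```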
